CVE-2019-9951

Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware before 2.31.174 is affected by an unauthenticated file upload vulnerability. The page web/jquery/uploader/uploadify.php can be accessed without any credentials, and allows uploading arbitrary files to any location on the attached storage.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_mirror_gen_2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_ex2100:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_ex4100:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_ex4100:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_dl2100:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_dl2100:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_dl4100:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_pr2100:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_pr4100:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud_pr4100:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:western_digital:my_cloud_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:western_digital:my_cloud:-:*:*:*:*:*:*:*

History

21 Nov 2024, 04:52

Type Values Removed Values Added
References () https://bnbdr.github.io/posts/wd/ - () https://bnbdr.github.io/posts/wd/ -
References () https://community.wd.com/t/new-release-my-cloud-firmware-versions-2-31-174-3-26-19/235932 - Release Notes, Third Party Advisory () https://community.wd.com/t/new-release-my-cloud-firmware-versions-2-31-174-3-26-19/235932 - Release Notes, Third Party Advisory
References () https://github.com/bnbdr/wd-rce/ - () https://github.com/bnbdr/wd-rce/ -
References () https://support.wdc.com/downloads.aspx?g=2702&lang=en - Third Party Advisory () https://support.wdc.com/downloads.aspx?g=2702&lang=en - Third Party Advisory

Information

Published : 2019-04-24 18:29

Updated : 2024-11-21 04:52


NVD link : CVE-2019-9951

Mitre link : CVE-2019-9951

CVE.ORG link : CVE-2019-9951


JSON object : View

Products Affected

western_digital

  • my_cloud_ex4100
  • my_cloud_ex2100
  • my_cloud_dl4100_firmware
  • my_cloud_ex2_ultra_firmware
  • my_cloud_pr2100_firmware
  • my_cloud_pr2100
  • my_cloud_dl4100
  • my_cloud_ex2_ultra
  • my_cloud
  • my_cloud_firmware
  • my_cloud_mirror_gen_2_firmware
  • my_cloud_dl2100
  • my_cloud_ex2100_firmware
  • my_cloud_pr4100
  • my_cloud_mirror_gen_2
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type